/* TEMPLATE GENERATED TESTCASE FILE Filename: CWE90_LDAP_Injection__getQueryString_Servlet_22a.java Label Definition File: CWE90_LDAP_Injection.label.xml Template File: sources-sink-22a.tmpl.java */ /* * @description * CWE: 90 LDAP Injection * BadSource: getQueryString_Servlet Parse id param out of the URL query string (without using getParameter()) * GoodSource: A hardcoded string * Sinks: * BadSink : data concatenated into LDAP search, which could result in LDAP Injection * Flow Variant: 22 Control flow: Flow controlled by value of a public static variable. Sink functions are in a separate file from sources. * * */ package testcases.CWE90_LDAP_Injection; import testcasesupport.*; import javax.servlet.http.*; import javax.naming.*; import javax.naming.directory.*; import java.util.Hashtable; import java.util.logging.Level; public class CWE90_LDAP_Injection__getQueryString_Servlet_22a extends AbstractTestCaseServlet { /* The public static variable below is used to drive control flow in the source function. * The public static variable mimics a global variable in the C/C++ language family. */ public static boolean badPublicStatic = false; public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; badPublicStatic = true; data = (new CWE90_LDAP_Injection__getQueryString_Servlet_22b()).badSource(request, response); Hashtable environmentHashTable = new Hashtable(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration allValues = attribute.getAll(); while(allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } } /* The public static variables below are used to drive control flow in the source functions. * The public static variable mimics a global variable in the C/C++ language family. */ public static boolean goodG2B1PublicStatic = false; public static boolean goodG2B2PublicStatic = false; public void good(HttpServletRequest request, HttpServletResponse response) throws Throwable { goodG2B1(request, response); goodG2B2(request, response); } /* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */ private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; goodG2B1PublicStatic = false; data = (new CWE90_LDAP_Injection__getQueryString_Servlet_22b()).goodG2B1Source(request, response); Hashtable environmentHashTable = new Hashtable(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration allValues = attribute.getAll(); while(allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } } /* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the sink function */ private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; goodG2B2PublicStatic = true; data = (new CWE90_LDAP_Injection__getQueryString_Servlet_22b()).goodG2B2Source(request, response); Hashtable environmentHashTable = new Hashtable(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration allValues = attribute.getAll(); while(allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } } /* Below is the main(). It is only used when building this testcase on * its own for testing or for building a binary to use in testing binary * analysis tools. It is not used when compiling all the testcases as one * application, which is how source code analysis tools are tested. */ public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException { mainFromParent(args); } }